Cookies are not removed on logout

Description

On Edge, cookies are not removed on logout if the user agent time is behind the server time.
It seems that the Edge browser does not check the time given in the response but interprets the expiry date as absolute, relative to the user agent's own time. Hence, if the system time is behind by a minute for some reason, signing out will take a minute.

To reproduce:
1) make sure the user agent time (the operating system's time) is behind by at least a minute
2) Sign in and then sign out
3) Sign in again

The effect is that you do not even see that you are signed in, since the request to verify the user will still send along the old cookie, which is still valid on the client (for a minute or so more) but has been invalidated at the server.

Two possible fixes:
1) Check all cookies provided by the client; when a valid one is discovered, treat it as success.
2) Set the expiry date further back in time, hoping that the system time is not totally off.

Regarding 1), it should always work, and in the majority of cases there will only be one cookie, making the impact on the server minimal.
Regarding 2), it may not always work if the user agent time is way off, but that will probably cause other problems as well, hence this case can probably be ignored.
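The following is an added illustration, not code from this report or from the project's own fix. It models the client behaviour described above (the client compares Expires against its own clock and ignores the server's notion of "now") and shows why an Expires one minute in the past fails to clear the cookie when the client clock is 90 seconds behind, while fix #2 (an Expires far in the past) succeeds. The cookie name, the server time and the 90-second skew are constructed values. The block also emits an RFC 6265 Max-Age=0 attribute, which is relative to the moment the client receives the response and therefore immune to clock skew; the report does not discuss Max-Age, and whether the affected Edge build honoured it is not stated on the page, so the Expires fallback is the part that matches the fix actually applied.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed clock values: server time and a client clock that runs 90 s behind it.
SERVER_NOW = datetime(2016, 5, 8, 13, 41, 0, tzinfo=timezone.utc)
CLIENT_SKEW = timedelta(seconds=90)


def clearing_cookie(name, server_now, back_off):
    """Build the Set-Cookie header a logout handler sends to clear `name`.

    Expires is set to server_now - back_off. A back_off of one minute reproduces
    the naive behaviour from the report; a back_off of a year is fix #2.
    Max-Age=0 is added as well for clients that implement RFC 6265 Max-Age.
    """
    expires = server_now - back_off
    return (f"{name}=; Path=/; HttpOnly; Max-Age=0; "
            f"Expires={format_datetime(expires, usegmt=True)}")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute_lower: value}).

    Flag attributes without a value (HttpOnly, Secure) map to True.
    """
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, value, attrs


def client_drops_cookie(header, client_now, honours_max_age=False):
    """Model the client decision described in the report.

    The client ignores the server's Date header and compares Expires against
    its own clock. Returns True when the client would discard the cookie.
    With honours_max_age=True the client uses Max-Age instead, which is a
    relative lifetime and does not depend on the client clock at all.
    """
    _, _, attrs = parse_set_cookie(header)
    if honours_max_age and "max-age" in attrs:
        return int(attrs["max-age"]) <= 0
    expires = parsedate_to_datetime(attrs["expires"])
    if expires.tzinfo is None:            # be safe if the parser returns a naive value
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= client_now


def demo():
    """Run both logout variants against the skewed client and report the outcome."""
    client_now = SERVER_NOW - CLIENT_SKEW
    naive = clearing_cookie("auth_token", SERVER_NOW, timedelta(minutes=1))
    robust = clearing_cookie("auth_token", SERVER_NOW, timedelta(days=365))
    return {
        # Expires is 60 s in the server's past but 30 s in the client's future: cookie survives.
        "naive_cleared": client_drops_cookie(naive, client_now),
        # Expires a year back is in the past on any reasonably set clock: cookie is dropped.
        "robust_cleared": client_drops_cookie(robust, client_now),
        # A client that honours Max-Age=0 drops the cookie regardless of skew.
        "naive_cleared_with_max_age": client_drops_cookie(naive, client_now, honours_max_age=True),
    }


if __name__ == "__main__":
    for outcome, cleared in demo().items():
        print(f"{outcome}: {cleared}")
```

The size of the back-off is the only tunable in fix #2: it has to exceed the largest client clock error you are willing to tolerate, which is why a value of a year (or the Unix epoch) is the usual choice rather than "one minute ago".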

Environment

None

Activity

Matthias Palmér
May 8, 2016, 2:42 PM

Verified that the solution works on Edge on Windows.
Also still works as expected on Chrome on Linux, assuming no change in other browsers either.

Hannes Ebner
May 8, 2016, 1:43 PM

Implemented custom cookie expiration code to resolve issue with solution #2 in report. Solution #1 has the potential to accept several logged in users at the same time whose credentials may be picked at random, opening up for a few not so nice and difficult to debug error conditions.

Hannes Ebner
May 8, 2016, 1:41 PM

Setting cookie expiration date in the past to overcome shortcomings of certain clients

Fixed

Assignee

Hannes Ebner

Reporter

Matthias Palmér

Labels

None

Components

Fix versions

Priority

Critical